From: Harlan Stenn Date: Wed, 19 Jan 2011 07:07:09 +0000 (-0500) Subject: crypo group changes from Dave Mills X-Git-Tag: NTP_4_2_7P120~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e68034f86ac281a2818417ea4763ea9cd3389a0;p=thirdparty%2Fntp.git crypo group changes from Dave Mills bk: 4d368d9d3rh2rXXyDmRflea_t88nSg --- diff --git a/ChangeLog b/ChangeLog index f99c7239c..3e34ae8e5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +* crypo group changes from Dave Mills. * Lose the RANGEGATE check in PPS, from Dave Mills. * ACTS refclock cleanup from Dave Mills. * Documentation updates from Dave Mills. diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c index 6e93f4ee9..7ce51276f 100644 --- a/ntpd/ntp_crypto.c +++ b/ntpd/ntp_crypto.c @@ -116,8 +116,10 @@ */ u_int32 crypto_flags = 0x0; /* status word */ int crypto_nid = KEY_TYPE_MD5; /* digest nid */ -char *sys_hostname = NULL; /* host name */ -char *sys_groupname = NULL; /* group name */ +char *sys_hostname = NULL; +char *sys_groupname = NULL; +static char *host_filename = NULL; /* host file name */ +static char *ident_filename = NULL; /* group file name */ /* * Global cryptodata in network byte order @@ -1157,10 +1159,6 @@ crypto_xmit( if (vallen == 0 || vallen > MAXHOSTNAME) { rval = XEVNT_LEN; break; - - } else { - memcpy(certname, ep->pkt, vallen); - certname[vallen] = '\0'; } /* @@ -1169,6 +1167,8 @@ crypto_xmit( * found, use that certificate. If not, use the last non * self-signed certificate. */ + memcpy(certname, ep->pkt, vallen); + certname[vallen] = '\0'; xp = yp = NULL; for (cp = cinfo; cp != NULL; cp = cp->link) { if (cp->flags & (CERT_PRIV | CERT_ERROR)) @@ -3153,7 +3153,8 @@ cert_hike( */ peer->crypto |= CRYPTO_FLAG_CERT; peer->grpkey = yp->grpkey; - if (peer->ident == NULL) + if (peer->ident == NULL || !(peer->crypto & + CRYPTO_FLAG_MASK)) peer->crypto |= CRYPTO_FLAG_VRFY; } 
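Review bot: In the cert_hike hunk the new condition grants CRYPTO_FLAG_VRFY not only when no `ident` is configured but also whenever the peer's crypto status word has none of the CRYPTO_FLAG_MASK bits set, and neither the code nor the ChangeLog says why. If that mask covers the identity-scheme bits (its definition is not in this diff), a peer that simply advertises no scheme is accepted on the certificate trail alone even though the operator configured a group identity, which relaxes what `ident` was meant to enforce. That may be the intent (let a trusted-certificate-only peer through), but it deserves a comment at that site, e.g. `/* Peer announces no identity scheme: the certificate trail alone verifies it (TC) and the group identity exchange is skipped. */`, plus a line in the documentation update. cert_hike begins and ends outside the hunk, so whether an earlier check already excludes this case cannot be confirmed here.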
@@ -3705,11 +3706,10 @@ crypto_setup(void) * Initialize structures. */ gethostname(hostname, MAXFILENAME); - if (sys_hostname == NULL) - sys_hostname = strdup(hostname); + if (host_filename != NULL) + strcpy(hostname, host_filename); if (passwd == NULL) - passwd = sys_hostname; - + passwd = hostname; memset(&hostval, 0, sizeof(hostval)); memset(&pubkey, 0, sizeof(pubkey)); memset(&tai_leap, 0, sizeof(tai_leap)); @@ -3781,14 +3781,13 @@ crypto_setup(void) filename); exit (-1); } - - if (sys_groupname == NULL) - snprintf(filename, MAXFILENAME, "%s", sys_hostname); - else - snprintf(filename, MAXFILENAME, "%s@%s", sys_hostname, - sys_groupname); - hostval.vallen = htonl(strlen(filename)); - hostval.ptr = strdup(filename); + hostval.ptr = strdup(cinfo->subject); + hostval.vallen = htonl(strlen(cinfo->subject)); + sys_hostname = hostval.ptr; + if ((ptr = strchr(sys_hostname, (int)'@')) != NULL) + sys_groupname = strdup(++ptr); + if (ident_filename != NULL) + strcpy(hostname, ident_filename); /* * Load optional IFF parameters from file @@ -3856,16 +3855,14 @@ crypto_config( * Set host name (host). */ case CRYPTO_CONF_PRIV: - sys_hostname = emalloc(strlen(cp) + 1); - strcpy(sys_hostname, cp); + host_filename = strdup(cp); break; /* * Set group name (ident). */ case CRYPTO_CONF_IDENT: - sys_groupname = emalloc(strlen(cp) + 1); - strcpy(sys_groupname, cp); + ident_filename = strdup(cp); break; /* diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index 6ef704d42..f92490051 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -130,11 +130,14 @@ static void pool_xmit (struct peer *); static void clock_update (struct peer *); static int default_get_precision (void); static int peer_unfit (struct peer *); +#ifdef AUTOKEY +static int group_test (char *, char *); +#endif /* AUTOKEY */ #ifdef WORKER void pool_name_resolved (int, int, void *, const char *, const char *, const struct addrinfo *, const struct addrinfo *); -#endif +#endif /* WORKER */ /* 
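Review bot: `strcpy(hostname, host_filename)` in the crypto_setup hunk copies an unbounded configuration string (`host_filename` is strdup'd from the `crypto host` argument in the crypto_config hunk) into `hostname`, which the `gethostname(hostname, MAXFILENAME)` call just above shows is a MAXFILENAME-byte buffer, so an over-long name overruns it; the `strcpy(hostname, ident_filename)` in the @@ -3781 hunk has the same problem. A bounded copy, `snprintf(hostname, MAXFILENAME, "%s", host_filename);`, or a length check in crypto_config fixes both. Separately, `passwd = hostname` now points the password pointer at `hostname` itself instead of at the strdup'd copy the old code used; if `hostname` is a local array of crypto_setup (its declaration is above the hunk) and `passwd` is consulted after crypto_setup returns, that pointer dangles, so either confirm it is never read later or keep a strdup. Note also that gethostname() need not NUL-terminate on truncation, so `hostname[MAXFILENAME - 1] = '\0';` before any use is cheap insurance. crypto_setup begins and ends outside the hunk.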
@@ -354,6 +357,8 @@ receive( l_fp p_rec; /* receive timestamp */ l_fp p_xmt; /* transmit timestamp */ #ifdef AUTOKEY + char hostname[NTP_MAXSTRLEN + 1]; + char *groupname = NULL;; struct autokey *ap; /* autokey structure pointer */ int rval; /* cookie snatcher */ keyid_t pkeyid = 0, tkeyid = 0; /* key IDs */ @@ -472,6 +477,9 @@ receive( has_mac = rbufp->recv_length - authlen; while (has_mac != 0) { u_int32 len; +#ifdef AUTOKEY + struct exten *ep; +#endif /*AUTOKEY */ if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) { sys_badlength++; @@ -483,12 +491,30 @@ receive( } else { opcode = ntohl(((u_int32 *)pkt)[authlen / 4]); - len = opcode & 0xffff; + len = opcode & 0xffff; if (len % 4 != 0 || len < 4 || (int)len + authlen > rbufp->recv_length) { sys_badlength++; return; /* bad length */ } +#ifdef AUTOKEY + + /* + * Extract calling group name for later. + */ + if ((opcode & 0x3fff0000) == CRYPTO_ASSOC && + sys_groupname != NULL) { + ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4]; + memmove(hostname, &ep->pkt, ntohl(ep->vallen)); + hostname[ntohl(ep->vallen)] = '\0'; + groupname = strchr(hostname, '@'); + if (groupname == NULL) + return; + + else + groupname++; + } +#endif /* AUTOKEY */ authlen += len; has_mac -= len; } @@ -776,6 +802,16 @@ receive( return; /* not enabled */ } +#ifdef AUTOKEY + /* + * Do not respond if not the same groupl; + */ + if (group_test(groupname, NULL)) { + sys_declined++; + return; + } +#endif /* AUTOKEY */ + /* * Do not respond if we are not synchronized or our * stratum is greater than the manycaster or the @@ -818,6 +854,16 @@ receive( * the guy is already here, don't fire up a duplicate. */ case AM_MANYCAST: + +#ifdef AUTOKEY + /* + * Do not respond if not the same groupl; + */ + if (group_test(groupname, NULL)) { + sys_declined++; + return; + } +#endif /* AUTOKEY */ if ((peer2 = findmanycastpeer(rbufp)) == NULL) { sys_restricted++; return; /* not enabled */ 
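Review bot: In the @@ -483 hunk `ntohl(ep->vallen)` is taken straight from the packet and used as the `memmove` length into `hostname`, a `char hostname[NTP_MAXSTRLEN + 1]` stack array declared in the @@ -354 hunk, with no check against NTP_MAXSTRLEN or against the extension length `len`, so a crafted CRYPTO_ASSOC extension overruns receive()'s stack frame; from these lines the extension walk appears to run before the MAC is verified, so no key material would be needed. The existing checks bound only `len` (multiple of 4, at least 4, inside the datagram), so with `len` of 4 even the read of `ep->vallen` is past the end of the field; the walk needs a minimum length covering the fixed header up to and including `vallen`, which `offsetof(struct exten, pkt)` expresses without hard-coding the layout (`<stddef.h>` needed, and `ep->pkt` is the field the hunk already copies from). The rewrite below adds both bounds and counts the no-'@' drop in `sys_declined` so it is not an invisible return. The double semicolon in `char *groupname = NULL;;` is a nit. receive() starts and ends outside these hunks.
```c
			u_int32 len;
			u_int32 vallen;
			/* … unchanged: has_mac / len sanity checks and opcode extraction … */
#ifdef AUTOKEY
			if ((opcode & 0x3fff0000) == CRYPTO_ASSOC &&
			    sys_groupname != NULL) {
				ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
				if (len < offsetof(struct exten, pkt)) {
					sys_badlength++;
					return;	/* too short to hold vallen */
				}
				vallen = ntohl(ep->vallen);
				if (vallen > len - offsetof(struct exten, pkt) ||
				    vallen > NTP_MAXSTRLEN) {
					sys_badlength++;
					return;	/* value overruns field or buffer */
				}
				memmove(hostname, &ep->pkt, vallen);
				hostname[vallen] = '\0';
				groupname = strchr(hostname, '@');
				if (groupname == NULL) {
					sys_declined++;
					return;	/* no group in host name */
				}
				groupname++;
			}
#endif /* AUTOKEY */
```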
@@ -869,6 +915,16 @@ receive( * kiss any frogs here. */ case AM_NEWBCL: + +#ifdef AUTOKEY + /* + * Do not respond if not the same groupl; + */ + if (group_test(groupname, sys_ident)) { + sys_declined++; + return; + } +#endif /* AUTOKEY */ if (sys_bclient == 0) { sys_restricted++; return; /* not enabled */ @@ -943,8 +999,8 @@ receive( */ if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_CLIENT, hisversion, pkt->ppoll, - pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid, sys_ident)) == - NULL) { + pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid, + sys_ident)) == NULL) { sys_restricted++; return; /* ignore duplicate */ } @@ -961,6 +1017,16 @@ receive( * mobilize a passive association. If not, kiss the frog. */ case AM_NEWPASS: + +#ifdef AUTOKEY + /* + * Do not respond if not the same groupl; + */ + if (group_test(groupname, sys_ident)) { + sys_declined++; + return; + } +#endif /* AUTOKEY */ if (!AUTH(sys_authenticate | (restrict_mask & (RES_NOPEER | RES_DONTTRUST)), is_authentic)) { @@ -1004,7 +1070,8 @@ receive( */ if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll, - NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, sys_ident)) == NULL) { + NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, + sys_ident)) == NULL) { sys_declined++; return; /* ignore duplicate */ } @@ -1015,6 +1082,16 @@ receive( * Process regular packet. Nothing special. */ case AM_PROCPKT: + +#ifdef AUTOKEY + /* + * Do not respond if not the same groupl; + */ + if (group_test(groupname, peer->ident)) { + sys_declined++; + return; + } +#endif /* AUTOKEY */ break; /* @@ -3022,7 +3099,7 @@ peer_xmit( */ if (!peer->crypto) exten = crypto_args(peer, CRYPTO_ASSOC, - peer->associd, sys_hostname); + peer->associd, hostval.ptr); else if (!(peer->crypto & CRYPTO_FLAG_CERT)) exten = crypto_args(peer, CRYPTO_CERT, peer->associd, peer->issuer); 
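Review bot: The new `/* Do not respond if not the same groupl; */` comments in the AM_NEWBCL, AM_NEWPASS and AM_PROCPKT hunks (and the two identical ones on the previous line) carry the typo `groupl;` and do not say when the test actually fires: `groupname` is initialised to NULL in receive() and only assigned while walking a CRYPTO_ASSOC extension, and group_test() returns 0 for a NULL group, so packets without that extension are never declined here. One wording for all of them, e.g. `/* Decline if the packet's CRYPTO_ASSOC group (if any) differs from ours. */`, would stop readers assuming every packet is group-checked. In the AM_PROCPKT case the check compares against `peer->ident` of an association that already exists, and a mismatch only bumps `sys_declined` while the association stays mobilized, which is worth stating if intended. receive() starts and ends outside these hunks.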
@@ -3065,7 +3142,7 @@ peer_xmit( else if (!(peer->crypto & CRYPTO_FLAG_SIGN)) exten = crypto_args(peer, CRYPTO_SIGN, - peer->associd, sys_hostname); + peer->associd, hostval.ptr); else if (!(peer->crypto & CRYPTO_FLAG_LEAP)) exten = crypto_args(peer, CRYPTO_LEAP, peer->associd, NULL); @@ -3089,7 +3166,7 @@ peer_xmit( */ if (!peer->crypto) exten = crypto_args(peer, CRYPTO_ASSOC, - peer->associd, sys_hostname); + peer->associd, hostval.ptr); else if (!(peer->crypto & CRYPTO_FLAG_CERT)) exten = crypto_args(peer, CRYPTO_CERT, peer->associd, peer->issuer); @@ -3120,7 +3197,7 @@ peer_xmit( else if (!(peer->crypto & CRYPTO_FLAG_SIGN)) exten = crypto_args(peer, CRYPTO_SIGN, - peer->associd, sys_hostname); + peer->associd, hostval.ptr); else if (!(peer->crypto & CRYPTO_FLAG_LEAP)) exten = crypto_args(peer, CRYPTO_LEAP, peer->associd, NULL); @@ -3482,6 +3559,39 @@ pool_xmit( } +#ifdef AUTOKEY + /* + * group_test - test if this is the same group + * + * host assoc return action + * none none 0 mobilize * + * none group 0 mobilize * + * group none 0 mobilize * + * group group 1 mobilize + * group different 2 ignore + * * ignore if notrust + */ +int group_test( + char *group, + char *ident + ) +{ + if (group == NULL) + return (0); + + if (strcmp(group, sys_groupname) == 0) + return (0); + + if (ident == NULL) + return (1); + + if (strcmp(group, ident) == 0) + return (0); + + return (1); +} +#endif /* AUTOKEY */ + #ifdef WORKER void pool_name_resolved(
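Review bot: group_test()'s header table does not match its code: the table lists return values 0/1/2 with `group group 1 mobilize` and `group different 2 ignore`, while the code returns 0 for a matching group and 1 for a mismatch (and for a NULL `ident`), and callers decline on any non-zero value, so the table as written would mean "same group → ignore"; the comment should be rewritten to the actual contract, e.g. `returns 0 to mobilize (no group, or group matches sys_groupname or ident), 1 to decline`. The function calls `strcmp(group, sys_groupname)` without checking `sys_groupname`, relying on the receive() caller only setting `group` when `sys_groupname != NULL`; a local guard, `if (group == NULL || sys_groupname == NULL) return (0);`, keeps it safe for any other caller. The forward declaration in the @@ -130 hunk is `static int group_test(...)` but this definition drops `static`; make it `static int group_test(` so the linkage is stated in one place.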